Application Note

Using the DirectControl Kerberos Utilities

Easily integrate Kerberos utilities with Active Directory using the Centrify-enabled version of Kerberos utilities

Centrify DirectControl uses Kerberos technology to authenticate UNIX sessions with Active Directory credentials. One of the advantages of using Kerberos is that it enables applications and many common network utilities to be used without having to re-enter user and password information. Since Kerberos is built into DirectControl, it is possible to use standard Kerberos utilities to leverage secure, authenticated, ticket-based single sign-on sessions.

Centrify has compiled an optional package that includes Kerberized utilities and services. These are based on the latest Kerberos distribution from MIT, and the utilities can be used with the standard DirectControl product. This Application Note describes how to install, configure and use the components included with the Centrify DirectControl Kerberos Utilities package.

You can download the Centrify-enabled Kerberos Utilities along with Centrify Express, our free Active Directory-based solution for authentication and single sign-on to cross-platform systems.

About the Centrify-Enabled Kerberos Utilities

Centrify has made a number of enhancements to the Kerberos environment that make deployment of Kerberos applications simpler. Some of these enhancements include:

  • Automated setup of Kerberos. When you join a UNIX, Linux or Mac computer to an Active Directory domain using DirectControl, all Kerberos-related system configuration files are written for you. For example, /etc/krb5.conf is configured to use the Active Directory domain controllers as the Kerberos key distribution center (KDC). Because these files are generated at join time, Kerberized UNIX applications "just work" with Active Directory as the Kerberos authority.

  • Removing the need for .k5login. A Kerberized login-type application such as ssh, telnet or rsh lets a client principal log in to a local account only if the principal maps to that account. Without a .k5login file in the account's home directory, a stock MIT client accepts only a principal whose name matches the account in the default realm, so a differently named principal, or a user from another realm (another Active Directory domain), needs an entry in ~/.k5login on every target system. Creating and maintaining these files becomes a significant administrative burden. Centrify removes the need for the file in almost all cases; see the Application Note for a detailed explanation of when a .k5login file is still needed.

  • Removing the need for host-to-realm mapping. If your DNS domain names differ from your Active Directory domain names, a stock Kerberos client needs host-to-realm entries (the [domain_realm] section of /etc/krb5.conf) for every affected host or domain so that it asks the right realm for a service ticket. Maintaining these entries is a significant administrative overhead. Centrify's Kerberos implementation removes the need for them.

  • Secure canonicalization. In many cases Kerberos must convert a partial host name into a fully qualified name and a realm before it can ask for a service ticket. This process is called canonicalization. For example, the host name in the command:

    telnet -a system1

    is expanded to system1.centrify.com in the CENTRIFY.COM realm, so the client requests a ticket for the service principal host/system1.centrify.com@CENTRIFY.COM. MIT's Kerberos distribution uses a combination of DNS lookups and host-to-realm mappings to perform this translation. Relying on DNS here is inherently insecure, since a spoofed DNS answer can make the client request a ticket for an attacker-chosen host or realm; the Kerberos specification (RFC 1510, since superseded by RFC 4120) cautions against it but offers no alternative. DirectControl implements a more secure mechanism that uses Active Directory's knowledge of the domain and does not rely on DNS.
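The .k5login, host-to-realm mapping and canonicalization points above all come down to two lookups a stock MIT client performs before a Kerberized login succeeds. The following POSIX shell script is an added example, not code from the Centrify package or from MIT Kerberos: it models (1) expanding a short host name, mapping the result to a realm through a [domain_realm] section, and forming the host/ service principal, and (2) the ~/.k5login decision on the target system. The host names, realm names, the krb5.conf fragment, the DNS stand-in table and the .k5login contents are all constructed for the example, and the no-mapping fallback is a simplification of MIT's behaviour.

```sh
#!/bin/sh
# Added example (not Centrify's or MIT's code): a model of the two lookups
# behind a Kerberized login such as "telnet -a system1".
#   1. canonicalise the host name and map it to a realm, giving the service
#      principal host/<fqdn>@<REALM> that a ticket is requested for;
#   2. on the target host, decide whether the client principal may log in as
#      the local account (the krb5_kuserok rule: ~/.k5login, else default map).

DEFAULT_REALM=CENTRIFY.COM

# Constructed krb5.conf fragment; a real client reads /etc/krb5.conf.
# legacy.example.net is the "DNS name differs from AD name" case from the text.
KRB5_CONF='
[libdefaults]
    default_realm = CENTRIFY.COM
[domain_realm]
    .centrify.com = CENTRIFY.COM
    centrify.com = CENTRIFY.COM
    .legacy.example.net = CORP.EXAMPLE.COM
'

# Constructed stand-in for the DNS step, which is where a stock client trusts
# an unauthenticated answer (short name -> fully qualified name).
HOSTS='system1 system1.centrify.com
db01 db01.legacy.example.net
oldbox oldbox.other.example.net'

canonical_fqdn() {                       # $1 = name as typed on the command line
    case $1 in
        *.*) printf '%s\n' "$1" ;;       # already qualified
        *)   printf '%s\n' "$HOSTS" | awk -v n="$1" '$1 == n { print $2; exit }' ;;
    esac
}

domain_realm_lookup() {                  # $1 = key: a host name or a .domain suffix
    printf '%s\n' "$KRB5_CONF" | awk -v key="$1" '
        /^[[:space:]]*\[/ { in_sec = ($1 == "[domain_realm]"); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }'
}

host_realm() {                           # $1 = fully qualified host name
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(domain_realm_lookup "$host")             # exact host entry first
    rest=$host
    while [ -z "$realm" ] && [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}                                # then .centrify.com, .com, ...
        realm=$(domain_realm_lookup ".$rest")
    done
    if [ -z "$realm" ]; then
        # No mapping at all: guess the uppercased parent domain. This is what a
        # client without host-to-realm entries ends up doing, and it is wrong
        # whenever the DNS name and the AD realm differ. (Assumption: MIT's
        # real fallback order depends on version and dns_lookup_realm.)
        realm=$(printf '%s' "${host#*.}" | tr 'a-z' 'A-Z')
    fi
    printf '%s\n' "$realm"
}

service_principal() {                    # $1 = name as typed; prints host/<fqdn>@<REALM>
    fqdn=$(canonical_fqdn "$1") || return 1
    [ -n "$fqdn" ] || return 1           # name could not be resolved
    printf 'host/%s@%s\n' "$fqdn" "$(host_realm "$fqdn")"
}

# Simplified krb5_kuserok: if ~/.k5login exists only the principals listed in
# it may log in; without it only <user>@<DEFAULT_REALM> maps to account <user>.
kuserok() {                              # $1 = client principal, $2 = local account, $3 = path to .k5login
    if [ -f "$3" ]; then
        grep -qxF -- "$1" "$3"
    else
        [ "$1" = "$2@$DEFAULT_REALM" ]
    fi
}

demo() {                                 # stand-alone run with a constructed .k5login for "bob"
    k5login=$(mktemp) && printf 'bob.admin@CORP.EXAMPLE.COM\n' > "$k5login"
    for h in system1 db01 oldbox; do
        printf '%-8s -> %s\n' "$h" "$(service_principal "$h")"
    done
    for spec in 'alice@CENTRIFY.COM alice /nonexistent/.k5login' \
                'alice@CORP.EXAMPLE.COM alice /nonexistent/.k5login' \
                "bob.admin@CORP.EXAMPLE.COM bob $k5login"; do
        set -- $spec
        if kuserok "$1" "$2" "$3"; then echo "$1 may log in as $2"; else echo "$1 denied for $2"; fi
    done
    rm -f "$k5login"
}
demo
```

The third host in the demo shows the failure mode the text describes: oldbox has no [domain_realm] entry, so the client guesses OTHER.EXAMPLE.NET and would ask a non-existent realm for the ticket. The .k5login cases show why the file is otherwise needed: alice from CORP.EXAMPLE.COM is refused on a host whose default realm is CENTRIFY.COM until someone lists her principal, and once a .k5login exists it is authoritative for that account.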

Supported Platforms

Support is listed per operating system version and architecture. Where the source lists both 32-bit and 64-bit support for an architecture, the Support column says so.

Platform                     Versions                                    Architecture   Support
---------------------------  ------------------------------------------  -------------  -----------------------------
CentOS Linux                 2, 3, 4, 5                                  x86            Supported
                             3, 4, 5                                     x86_64         Supported
Citrix XenServer             4, 5                                                       Supported
Debian Linux                 3.0, 3.1, 4.0, 5.0, 6.0                     x86            Supported
                             3.1, 4.0, 5.0, 6.0                          x86_64         Supported
Hewlett Packard HP-UX        11.00, 11.11, 11.23, 11.31                  PA-RISC        Supported (32-bit and 64-bit)
                             11.22, 11.23, 11.31                         Itanium        Supported
IBM AIX                      4.3.3, 5.1, 5.2, 5.3, 6.1, 7.1                             Supported (32-bit and 64-bit)
Mandriva Linux               One 2008, 2009, 2010, 2011                  x86            Supported
                             Ent. Server 5, 5.2                          x86            Supported
                             Ent. Server 5, 5.2                          x86_64         Supported
Novell SUSE Linux            Ent. Desktop 9.0, 9.x, 10, 11               x86            Supported
                             Ent. Desktop 11                             x86_64         Supported
                             Ent. Server 8, 9, 10, 11                    x86            Supported
                             Ent. Server 9, 10, 11                       x86_64         Supported
                             Ent. Server 9, 10, 11                       PPC            Supported (32-bit and 64-bit)
OpenSolaris                  06/2009                                     SPARC          Supported
                             11/2008, 06/2009                            x86            Supported
                             11/2008, 06/2009                            x86_64         Supported
OpenSUSE Linux               10.x, 11.x                                  x86            Supported
                             10.x, 11.x                                  x86_64         Supported
Oracle Enterprise Linux      4, 5, 6                                     x86            Supported
                             4, 5, 6                                     x86_64         Supported
Oracle Solaris               2.6, 2.7 (7), 8, 9, 10                      SPARC          Supported (32-bit and 64-bit)
                             9, 10                                       x86            Supported
                             10                                          x86_64         Supported
Red Hat Enterprise Linux     Desktop 5, 6                                x86            Supported
                             Desktop 5, 6                                x86_64         Supported
                             AS/ES/WS 2.1, 3, 4, 5, 6                    x86            Supported
                             AS/ES/WS 3, 4, 5, 6                         x86_64         Supported
                             AS/ES/WS 3, 4, 5, 6                         PPC            Supported (32-bit and 64-bit)
                             AS/ES/WS 4, 5, 6                            Itanium        Supported
Red Hat Fedora               3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 x86            Supported
                             3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 x86_64         Supported
Red Hat Linux                7.2, 7.3, 8, 9                              x86            Supported
Scientific Linux             3, 4, 5, 6                                  x86            Supported
                             3, 4, 5, 6                                  x86_64         Supported
Ubuntu Linux                 6.x, 7.x, 8.x, 9.x, 10.x, 11.04, 11.10      x86            Supported
                             6.x, 7.x, 8.x, 9.x, 10.x, 11.04, 11.10      x86_64         Supported
VMware ESX Server            2.1, 2.5.0, 2.5.1, 2.5.x, 3.0.x, 3.5        x86            Supported
                             4.0, 4.1                                    x86_64         Supported